In June this year, police in India's financial capital Mumbai busted a card cloning racket that involved waiters at bars and restaurants across the city stealing data using credit card skimmers. The accused had managed to steal the credit card and debit card data of some 1,000 unsuspecting customers over a period of two years.
This was not a one-off incident. Between April and December last year, nearly 24,000 fraud cases related to credit, debit cards and internet banking were registered in India, Mint newspaper reported in April, citing Reserve Bank of India (RBI) data. In Mumbai alone, cases related to credit and debit card fraud jumped 42 percent in 2017, the Hindustan Times newspaper reported.
India was ranked among the top 5 countries with regard to credit card fraud, with more than one third of the people saying they had been scammed, according to the 2016 Global Consumer Fraud Report published by payments technology company ACI Worldwide.
"The reasons for this are manifold, but it is fair to say that the use of more sophisticated fraud prevention and a crackdown on criminals in Western Europe has forced criminal gangs to go elsewhere," Jay Floyd, the regional head of payments intelligence and fraud strategy at ACI Worldwide, told DW.
"Many of them are targeting countries that are still not fully EMV [chip and pin cards] compliant, countries such as India," he said.
India's digital push
India is witnessing a surge in digital payments thanks to Prime Minister Narendra Modi's 2016 decision to recall 86 percent of cash in circulation, and his government's aggressive push for a more cashless economy.
The number of credit cards rose by a quarter to more than 38 million in the 12 months ending in May, while the number of debit cards jumped 17 percent to over 925 million in the same period, according to RBI data.
But many of the cards continue to come with magnetic strips which store all important customer data and are more vulnerable to cloning.
The Indian central bank has instructed banks to issue more secure chip-enabled (EMV) cards, which require the customer to enter a PIN code or sign on the receipt.
The deadline to completely move to EMV cards is set for the end of this year. But with large numbers of ATMs and swiping machines still not EMV compliant, meeting the deadline could be a challenge.
"India is, in many ways, an easy target for criminals, a sizeable card base, demonetization and still some way to go before becoming truly EMV," Floyd said. "Criminal gangs are clearly seizing the opportunity to fill their boots."
Many of the new card owners in India are people from smaller cities who are not fully aware of ways to secure their banking transactions, making them a perfect target for criminal gangs.
Alarmed by the rise in incidents of fraud, the Indian government and banks are running awareness campaigns to educate card owners about the dangers and pitfalls.
Altaf Halde, cybersecurity global business head at the cybersecurity consulting firm Network Intelligence, told DW that the awareness campaign around these issues is already bearing results.
"People now are more comfortable lodging complaints of fraud with the law enforcement agencies," he said. "Credit card frauds have been a problem for quite some time now, it's only now they are being widely reported and discussed."
Rahul Tyagi, co-founder of cyber security firm Lucideus, told DW that the government should go a step further and make it mandatory for bank officials to "explain to every new customer the risks involved in layman's terms."
What is credit card cloning?
Credit card cloning is a form of identity theft in which scammers create a fake credit card by using data stolen from a person's actual card.
Creating a credit card clone is not rocket science. All a scammer needs to do is to swipe your card on a device known as a skimmer, which is readily available even on some popular e-commerce websites for as little as $20 (€17). The skimmer can be placed at ATMs, retail stores or simply be carried around in one's hand.
"The skimmer, unlike the regular swiping machines, permanently stores a person's data, which can be easily retrieved using software," Tyagi said.
The scammer then transfers the data to another card with a magnetic strip, such as a hotel key or an old credit or debit card — a reason why banks ask their customers to cut their old cards into pieces — and uses it to make purchases.
How do I protect myself?
Don't let your card out of sight. The waiters in Mumbai managed to steal data because unsuspecting customers would hand over their cards, which would then be secretly swiped and skimmed.
Register your mobile number with the bank and subscribe to alerts for your transactions. Inform your bank as soon as you notice any suspicious spending and have your card blocked.
Inspect an ATM before transacting and do not insert your card if you find any suspicious device connected to the machine. Halde suggests entering the wrong PIN in the first attempt to ascertain if the machine is rigged or not.
Memorize your CVV number — the three-digit number at the back of your card — and then scratch it from your card.
But giving up on your card for good is not the solution, Tyagi says. "Think about the benefits that cards and other digital payment methods offer. You just need to be more careful and aware."